Identity Theft: Trends and Issues

Transcription

1 Kristin M. Finklea Specialist in Domestic Security February 15, 2012 CRS Report for Congress Prepared for Members and Committees of Congress Congressional Research Service R40599

2 Summary In the current fiscal environment, policymakers are increasingly concerned with securing the economic health of the United States including combating those crimes that threaten to further undermine the nation s financial stability. Identity theft is one such crime. In 2010, about 8.1 million Americans were reportedly victims of identity fraud, and the average identity fraud victim incurred a mean of $631 in costs as a result of the fraud the highest level since Identity theft is often committed to facilitate other crimes such as credit card fraud, document fraud, or employment fraud, which in turn can affect not only the nation s economy but its security. Consequently, in securing the nation and its economic health, policymakers are also tasked with reducing identity theft and its impact. Identity theft has remained the dominant consumer fraud complaint to the Federal Trade Commission (FTC). Nevertheless, while the number of overall identity theft complaints generally increased between when the FTC began recording identity theft complaints in 2000 and 2008, the number of complaints decreased in both 2009 and Prosecutions of federal identity theft violations have followed a similar pattern. However, while the number of identity theft cases filed and the number of defendants convicted both decreased in FY2009 and FY2010 relative to FY2008, the numbers of aggravated identity theft cases filed and defendants convicted have continued to increase. Congress continues to debate the federal government s role in (1) preventing identity theft and its related crimes, (2) mitigating the potential effects of identity theft after it occurs, and (3) providing the most effective tools to investigate and prosecute identity thieves. With respect to preventing identity theft, one issue concerning policymakers is the prevalence of personally identifiable information and in particular, the prevalence of Social Security numbers (SSNs) in both the private and public sectors. One policy option to reduce their prevalence may involve restricting the use of SSNs on government-issued documents such as Medicare identification cards. Another option could entail providing federal agencies with increased regulatory authority to curb the prevalence of SSN use in the private sector. In debating policies to mitigate the effects of identity theft, one option Congress may consider is whether to strengthen data breach notification requirements. Such requirements could affect the notification of relevant law enforcement authorities as well as any individuals whose personally identifiable information may be at risk from the breach. Congress may also be interested in assessing the true scope of data breaches, particularly involving government networks (e.g., S. 2105). There have already been several legislative and administrative actions aimed at curtailing identity theft. Congress enacted legislation naming identity theft as a federal crime in 1998 (P.L ) and later provided for enhanced penalties for aggravated identity theft (P.L ). In April 2007, the President s Identity Theft Task Force issued recommendations to combat identity theft, including specific legislative recommendations to close identity theft-related gaps in the federal criminal statutes. In a further attempt to curb identity theft, Congress directed the FTC to issue an Identity Theft Red Flags Rule (effective December 31, 2010), requiring that creditors and financial institutions with specified account types develop and institute written identity theft prevention programs. Congressional Research Service

3 Contents Introduction... 1 Definitions of Identity Theft... 2 Theft vs. Fraud... 3 Knowledge Element... 3 Legislative History... 3 Identity Theft Assumption Deterrence Act... 4 Identity Theft Penalty Enhancement Act... 4 Identity Theft Enforcement and Restitution Act of Identity Theft Task Force... 5 Recommendations... 5 Legislative Recommendations... 6 Red Flags Rule... 7 Trends in Identity Theft... 9 Perpetrators Investigations and Prosecutions Federal Bureau of Investigation (FBI) United States Secret Service (USSS) United States Postal Inspection Service (USPIS) Social Security Administration Office of the Inspector General (SSA OIG) Immigration and Customs Enforcement Department of Justice Domestic Impact Credit Card Fraud Document Fraud Employment Fraud Data Breaches and Identity Theft Potential Issues for Congress Identity Theft Prevention Securing Social Security Numbers Effects of Data Breaches Deterrence and Punishment Selected Legislation from the 112 th Congress Social Security Numbers...27 Law Enforcement and Consumer Notification Figures Figure 1. FTC Consumer Complaint Data Figure 2. FTC Identity Theft Complaint Data Figure 3. Federal Identity Theft and Aggravated Identity Theft Cases Figure 4. FTC Identity Theft Complaints, Figure 5. Total Number of Reported Data Breaches and Records Affected Congressional Research Service

4 Contacts Author Contact Information Congressional Research Service

5 Introduction In the current fiscal environment, policymakers are increasingly concerned with securing the economic health of the United States including combating those crimes that threaten to further undermine the nation s financial stability. 1 Identity theft, for one, poses both security and economic risks. By some estimates, identity fraud cost Americans $37 billion in FTC complaint data indicate that the most common fraud complaint received (19% of all consumer fraud complaints) is that of identity theft. 3 In 2010, for instance, about 8.1 million Americans were reportedly victims of identity fraud. This is a decrease of about 3 million from the approximately 11.1 million who were victimized in Despite this decline in the overall number of reported identity fraud incidents, difficulty in detecting and resolving these incidents may have contributed in higher consumer costs; the average identity fraud victim incurred a mean of $631 the highest level since An increase in globalization and a lack of cyber borders provide an environment ripe for identity thieves to operate from within the nation s borders as well as from beyond. Federal law enforcement is thus challenged with investigating criminals who may or may not be operating within U.S. borders; may have numerous identities actual, stolen, or cyber; and may be acting alone or as part of a sophisticated criminal enterprise. 6 In addition, identity theft is often interconnected with various other criminal activities. These activities range from credit card and bank fraud to immigration and employment fraud. In turn, the effects felt by individuals and businesses who have fallen prey to identity thieves extend outside of pure financial burdens; identity thieves affect not only the nation s economic health, but its national security as well. Consequently, policymakers may debate the federal government s role in preventing identity theft and its related crimes, mitigating the potential effects of identity theft after it occurs, and providing the most effective tools to investigate and prosecute identity thieves. This report first provides a brief federal legislative history of identity theft laws. It analyzes the current trends in identity theft, including prevalent identity theft-related crimes, the federal agencies involved in combating identity theft, and the trends in identity theft complaints and prosecutions. The report also discusses the relationship between data breaches and identity theft as well as possible effects of the FTC s Identity Theft Red Flags Rule, effective December 31, It also examines possible issues for Congress to consider. 1 See, for example, U.S. Congress, House Committee on Ways and Means, Role of Social Security Numbers in Identity Theft and Options to Guard Their Privacy, 112 th Cong., 1 st sess., April 13, Javelin Strategy & Research, 2011 Identity Fraud Survey Report: Consumer Version, February Federal Trade Commission, Consumer Sentinel Network Data Book for January December, 2010, March, 2011, 4 Javelin Strategy & Research, 2011 Identity Fraud Survey Report: Consumer Version, February Ibid. 6 For more information on these challenges, see CRS Report R41927, The Interplay of Borders, Turf, Cyberspace, and Jurisdiction: Issues Confronting U.S. Law Enforcement, by Kristin M. Finklea. Congressional Research Service 1

6 Definitions of Identity Theft When does taking and using someone else s identity become a crime? Current federal law defines identity theft as a federal crime when someone knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law. 7 The current federal law also provides enhanced penalties for aggravated identity theft when someone knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person in the commission of particular felony violations. 8 Aggravated identity theft carries an enhanced two-year prison sentence for most specified crimes and an enhanced five-year sentence for specified terrorism violations. Identity theft is also defined in the Code of Federal Regulations (CFR) as fraud committed or attempted using the identifying information of another person without permission. 9 Identity theft can both facilitate and be facilitated by other crimes. For example, identity theft may make possible crimes such as bank fraud, document fraud, or immigration fraud, and it may be aided by crimes such as theft in the form of robbery or burglary. 10 Therefore, one of the primary challenges in analyzing the trends in identity theft (e.g., offending, victimization, or prosecution rates) as well as the policy issues that Congress may wish to consider arises from this interconnectivity between identity theft and other crimes U.S.C. 1028(a)(7). 8 These felony violations as outlined in 18 U.S.C. 1028A include theft of public money, property, or records; theft, embezzlement, or misapplication by bank officer or employee theft from employee benefit plans; false personation of citizenship; false statements in connection with the acquisition of a firearm; fraud and false statements; mail, bank, and wire fraud; specified nationality and citizenship violations; specified passport and visa violations; obtaining customer information by false pretenses; specified violations the Immigration and Nationality Act relating to willfully failing to leave the United States after deportation and creating a counterfeit alien registration card and various other immigration offenses; specified violations of the Social Security Act relating to false statements relating to programs under the act; and specified terrorism violations. The basic penalty for identity theft under 18 U.S.C ranges from not more than five years imprisonment to not more than 30 years, depending on the circumstances. 9 According to the CFR definitional section for the Fair Credit Reporting Act (16 C.F.R ), [t]he term identifying information means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any (1) Name, Social Security number, date of birth, official State or government issued driver s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (3) Unique electronic identification number, address, or routing code; or (4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)). 10 Graeme R. Newman and Megan M. McNally, Identity Theft Literature Review, Prepared for presentation and discussion at the National Institute of Justice Focus Group Meeting to develop a research agenda to identify the most effective avenues of research that will impact on prevention, harm reduction and enforcement, Contract #2005-TO-008, January 2005, Congressional Research Service 2

7 Theft vs. Fraud Identity theft and identity fraud are terms that are often used interchangeably. Identity fraud 11 is the umbrella term that refers to a number of crimes involving the use of false identification though not necessarily a means of identification belonging to another person. Identity theft is the specific form of identity fraud that involves using the personally identifiable information of someone else. Both identity fraud and identity theft are crimes often committed in connection with other violations, as mentioned above. Identity theft, however, may involve an added element of victimization, as this form of fraud may directly affect the life of the victim whose identity was stolen in addition to defrauding third parties (such as the government, employers, consumers, financial institutions, and health care and insurance providers, just to name a few). This report, however, maintains a focus on identity theft rather than the broader term of identity fraud. Knowledge Element Another definitional issue is one that was recently before the U.S. Supreme Court. The statutory definitions of identity theft and aggravated identity theft indicate that they are crimes when someone knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person in conjunction with specified felony violations outlined in the U.S. Code. The definitional element under question was the word knowingly. In Flores- Figueroa v. United States, the Court decided that in order to be found guilty of aggravated identity theft, a defendant must have knowledge that the means of identification he used belonged to another individual. 12 It is not sufficient to only have knowledge that the means of identification used was not his own. Although the case before the Court specifically involved aggravated identity theft, the issue may apply to the identity theft statute as well, due to its overlap in wording about the element of knowledge. Since the Court has issued its final decision in Flores-Figueroa v. United States, Congress may wish to consider whether there is a need to clarify the difference between these two types of knowledge in the U.S. Code. If a clarification is warranted, Congress may wish to consider whether the identity theft and aggravated identity theft statutes should be amended to reflect the definitions of both types of knowledge. Legislative History 13 Until 1998, identity theft was not a federal crime. 14 Leading up to Congress designating identity theft as a federal crime, identity fraud was on the rise, and the Internet was increasingly being 11 Identity fraud became a federal crime through the False Identification Crime Control Act of 1982 (P.L ), and it is codified at 18 U.S.C Flores-Figueroa v. United States, 129 S. Ct (2009). 13 The legislation described in this section covers those Acts directly related to the identity theft statutes. Other statutes, such as the credit reporting statutes, indirectly address identity theft by possibly assisting victims, however, they are not discussed here. For more information on the scope of federal laws relating to identity theft, see archived CRS Report RL31919, Federal Laws Related to Identity Theft, by Gina Stevens. See also CRS Report RL31666, Fair Credit Reporting Act: Rights and Responsibilities, by Margaret Mikyung Lee. 14 The first state to enact an identity theft law was Arizona in Congressional Research Service 3

8 used as a method of defrauding innocent victims. Law enforcement and policymakers suggested that the current laws at the time were ineffective at combating the growing prevalence of identity theft; 15 the laws were not keeping up with technology, and stronger laws were needed to investigate and punish identity thieves. 16 In addition, policymakers also suggested that industries that handled records containing individuals personally identifiable information such as credit, medical, and criminal records needed superior methods to ensure the validity of the information they collected and utilized. Identity Theft Assumption Deterrence Act In 1998, Congress passed the Identity Theft Assumption Deterrence Act (P.L ), which criminalized identity theft at the federal level. In addition to making identity theft a crime, this act provided penalties for individuals who either committed or attempted to commit identity theft and provided for forfeiture of property used or intended to be used in the fraud. It also directed the Federal Trade Commission (FTC) to record complaints of identity theft, provide victims with informational materials, and refer complaints to the appropriate consumer reporting and law enforcement agencies. The FTC now records consumer complaint data and reports it in the Identity Theft Data Clearinghouse; identity theft complaint data are available for 2000 and forward. 17 Identity Theft Penalty Enhancement Act Congress further strengthened the federal government s ability to prosecute identity theft with the passage of the Identity Theft Penalty Enhancement Act (P.L ). 18 This act established penalties for aggravated identity theft, in which a convicted perpetrator could receive additional penalties (two to five years imprisonment) for identity theft committed in relation to other federal crimes. Examples of such federal crimes include theft of public property, theft by a bank officer or employee, theft from employee benefit plans, false statements regarding Social Security and Medicare benefits, several fraud and immigration offenses, and specified felony violations pertaining to terrorist acts. Identity Theft Enforcement and Restitution Act of 2008 Most recently, Congress enhanced the identity theft laws by passing the Identity Theft Enforcement and Restitution Act of 2008 (Title II of P.L ). Among other elements, the act authorized restitution to identity theft victims for their time spent recovering from the harm caused by the actual or intended identity theft. 15 Before identity theft became a federal crime, identity fraud had been established as a crime in the False Identification Crime Control Act of 1982 (P.L ). However, the identity fraud statute did not contain a specific theft provision. 16 From remarks James Bauer, Deputy Assistant Director, Office of Investigations, U.S. Secret Service, before the U.S. Congress, Senate Committee on the Judiciary, Subcommittee on Technology, Terrorism, and Government Information, The Identity Theft and Assumption Deterrence Act, 105 th Cong., 2 nd sess., May 20, Unless otherwise noted in this report, all dates refer to calendar years rather than fiscal years. 18 Aggravated Identity Theft is codified at 18 U.S.C. 1028A. Congressional Research Service 4

9 Identity Theft Task Force In addition to congressional efforts to combat identity theft, there have been administrative efforts as well. The President s Identity Theft Task Force (Task Force) was established in May 2006 by Executive Order The task force was created to coordinate federal agencies in their efforts against identity theft, and it was charged with creating a strategic plan to combat (increase awareness of, prevent, detect, and prosecute) identity theft. It was composed of representatives from 17 federal agencies. 20 Recommendations In April 2007, the task force authored a strategic plan for combating identity theft in which it made recommendations in four primary areas: preventing identity theft by keeping consumer data out of criminals hands, preventing identity theft by making it more difficult for criminals to misuse consumer data, assisting victims in detecting and recovering from identity theft, and deterring identity theft by increasing the prosecution and punishment of identity thieves. 21 With respect to identity theft prevention, the task force suggested that decreasing the use of Social Security numbers (SSNs) in the public sector and reviewing the use of SSNs in the private sector could help prevent identity theft. Also, the task force suggested that educating employers and individuals on how to safeguard data, as well as establishing national data protection and breach notification standards, could further aid in preventing identity theft. Relating to victim assistance, the task force suggested that identity theft victims may be better served if first responders were specially trained to assist this particular class of victim. It also addressed victim redress by recommending that identity theft victims be able to obtain an alternative identification document after the theft of their identities. Through the Identity Theft Enforcement and Restitution Act of 2008 (Title II of P.L ), Congress responded to the task force s recommendation that criminal restitution statutes allow victims to be compensated for their time in recovering from the actual or attempted identity theft. 19 Executive Order 13402, Strengthening Federal Efforts To Protect Against Identity Theft, 71 Federal Register 93, May 15, Members of the task force included the Attorney General (chair), the Chairman of the Federal Trade Commission (co-chair), the Secretary of the Treasury, the Secretary of Commerce, the Secretary of Health and Human Services, the Secretary of Veterans Affairs, the Secretary of Homeland Security, the Director of the Office of Management and Budget, the Commissioner of Social Security, the Chairman of the Board of Governors of the Federal Reserve System, the Chairperson of the Board of Directors of the Federal Deposit Insurance Corporation, the Comptroller of the Currency, the Director of the Office of Thrift Supervision, the Chairman of the National Credit Union Administration Board, the Postmaster General, the Director of the Office of Personnel Management, and the Chairman of the Securities and Exchange Commission. 21 The President s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, April 23, 2007, at Congressional Research Service 5

10 Regarding identity theft deterrence, the task force recommended enhancing information gathering and sharing between domestic law enforcement agencies and the private sector, ramping up identity theft training for law enforcement and prosecutors, and increasing enforcement and prosecution of identity theft. The task force also promoted international cooperation to decrease identity theft through identifying countries that may be safe havens for identity thieves, encouraging anti-identity theft legislation in other countries, and increasing international cooperation in the investigation and prosecution of identity theft. Legislative Recommendations More specifically, the task force recommended that Congress close gaps in the federal criminal statues to more effectively prosecute and punish identity theft-related offenses by amending the identity theft and aggravated identity theft statutes so that thieves who misappropriate the identities of corporations and organizations and not just the identities of individuals can be prosecuted, amending the aggravated identity theft statute by adding new crimes as predicate offenses for aggravated identity theft violations, amending the statute criminalizing the theft of electronic data by eliminating provisions requiring that the information be stolen through interstate communications, amending the computer fraud statute by eliminating the requirement that damage to a victim s computer exceed $5,000, amending the cyber-extortion statute by expanding the definition of cyberextortion, and ensuring that the Sentencing Commission allows for enhanced sentences imposed on identity thieves whose actions affect multiple victims. 22 Congress has already taken steps to address some of these task force recommendations. Through the Identity Theft Enforcement and Restitution Act of 2008 (Title II of P.L ), Congress, among other things, eliminated provisions in the U.S. Code requiring the illegal conduct to involve interstate or foreign communication, eliminated provisions requiring that damage to a victim s computer amass to $5,000, and expanded the definition of cyber-extortion. However, Congress has not yet addressed the task force recommendation to expand the identity theft and aggravated identity theft statutes to apply to corporations and organizations as well as to individuals, nor has it addressed the recommendation to expand the list of predicate offenses for aggravated identity theft. Issues surrounding these recommendations are analyzed in the section Potential Issues for Congress. 22 Ibid. Congressional Research Service 6

11 Red Flags Rule 23 The Identity Theft Red Flags Rule, issued in 2007, requires creditors and financial institutions to implement identity theft prevention programs. It is implemented pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003 (P.L ). The FACT Act amended the Fair Credit Reporting Act (FCRA) 24 by directing the FTC, along with the federal banking agencies and the National Credit Union Administration, to develop Red Flags guidelines. These guidelines require creditors 25 and financial institutions 26 with covered accounts 27 to develop and institute written identity theft prevention programs. According to the FTC, the identity theft prevention programs required by the rule must provide for identifying patterns, practices, or specific activities known as red flags that could indicate identity theft and then incorporating those red flags into the identity theft prevention program; detecting those red flags that have been incorporated into the identity theft prevention program; responding to the detection of red flags; and updating the identity theft prevention program periodically to reflect any changes in identity theft risks. 28 Possible red flags could include alerts, notifications, or warnings from a consumer reporting agency; 23 The Red Flags Rule is listed in the Code of Federal Regulations at 16 C.F.R The Red Flags Rule was issued jointly by the FTC; the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; and the National Credit Union Administration. The final rules are available in the Federal Register. See Department of the Treasury, Office of the Comptroller of the Currency; Federal Reserve System; Federal Deposit Insurance Corporation; Department of the Treasury, Office of Thrift Supervision; National Credit Union Administration; Federal Trade Commission, Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule, 72 Federal Register , November 9, The FCRA is codified at 15 U.S.C Under the Red Flags Rule, a creditor is defined as any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit, 15 U.S.C. 1691a. The Red Flag Program Clarification Act of 2010 (S. 3987), signed by President Obama on December 18, 2010, limits this definition of a creditor, excluding any creditor that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person. 26 Under the Red Flags Rule, a financial institution is defined as a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account (as defined in 461(b) of title 12) belonging to a consumer, 15 U.S.C. 1681a(t). 27 A covered account is one that is used primarily for personal, family, or household purposes, and that involves multiple payments or transactions. These include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, savings accounts, and other accounts for which there is a foreseeable risk of identity theft. The Rule also requires creditors and financial institutions to periodically determine whether they maintain any covered accounts, 72 Federal Register Federal Trade Commission, Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy, press release, October 31, 2007, Congressional Research Service 7

12 suspicious documents; suspicious personally identifiable information, such as a suspicious address; unusual use of or suspicious activity relating to a covered account; and notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts. 29 The deadline for creditors and financial institutions to comply with the Red Flags Rule was originally set at November 1, However, many of the organizations affected by the Red Flags Rule were not prepared to institute their identity theft prevention programs by this date. Therefore, the FTC moved the deadline to May 1, 2009, 30 further extended the compliance date to November 1, 2009, 31 and later to June 1, The final enforcement date was set at December 31, 2010, 33 and this last extension was, in part, a result of the debate over whether Congress wrote the FACT Act Red Flags provision too broadly by including all entities qualifying as creditors and financial institutions (discussed further below). The effect that the Red Flags Rule will have on the prevalence of identity theft remains uncertain. One potential effect is that the Red Flags Rule may help creditors and financial institutions prevent identity theft by identifying potential lapses in security or suspicious activities that could lead to identity theft. This could possibly lead to an overall decrease in the number of identity theft incidents reported to the FTC, as well as the number of identity theft cases investigated and prosecuted. Once detected, the Red Flags Rule requires that the creditor or financial institution respond to the identified red flag. One response option that creditors and financial institutions might include in their prevention programs is to notify consumers or law enforcement of data breaches that could potentially lead to the theft of consumers personally identifiable information. While notification is not a required element in the identity theft prevention programs, 34 early notification could lead to consumers taking swift action to prevent identity theft or mitigate the severity of the damage that could result if they had not been notified as quickly. When the Red Flags Rule was created, the FTC originally estimated that it would impact approximately 11.1 million creditors and financial institutions required to implement the identity theft prevention programs. 35 The FTC estimated the total annual labor costs (for each of the first three years the rule is in effect) for all creditors and financial institutions covered by the rule to be Federal Trade Commission, FTC Will Grant Six-Month Delay of Enforcement of Red Flags Rule Requiring Creditors and Financial Institutions to Have Identity Theft Prevention Programs, press release, October 22, 2008, 31 Federal Trade Commission, FTC Will Grant Three-Month Delay of Enforcement of Red Flags Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs, press release, April 30, 2009, 32 Federal Trade Commission, FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule, press release, October 30, 2009, 33 Federal Trade Commission, FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule, press release, May 28, 2010, 34 The FTC has published a guide to assist businesses in creating the identity theft prevention programs, available at Federal Trade Commission, Fighting Fraud With the Red Flags Rule: A How-To Guide for Business, March 2009, 35 Identity Theft Red Flags Final Rule, p Congressional Research Service 8

13 about $143 million. 36 Some entities considered creditors or financial institutions under the rule expressed concern that the burden of the rule overlaps with burdens already incurred under other regulations. For example, the American Bar Association (ABA) questioned whether lawyers are considered creditors under the Red Flags Rule because they generally do not require payment until after services are rendered. Further, the American Medical Association indicated that physicians should be exempt from the Red Flags Rule because of patient privacy and security protections required by the Health Insurance Portability and Accountability Act (HIPAA). 37 In addition, there may have been concern that to avoid being considered creditors, some physicians could possibly require full payment at the time of service (rather than allowing deferred payments). This could in turn lead to some patients avoiding potentially necessary treatment if they are unable to pay in full at the time of service; on the other hand, the rule may have no effect on patients willingness to seek medical treatment. The Red Flag Program Clarification Act of 2010 (P.L ), signed by President Obama on December 18, 2010, limits the Red Flags Rule s definition of a creditor, excluding any creditor that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person. This legislation does not exempt any broad categories of businesses or entities, but the majority of businesses in certain categories such as physicians would be exempt from Red Flags Rule compliance. The actual effects of the Red Flags Rule including effects on identity theft rates as well as any indirect consequences will not be evident until after full implementation by creditors and financial institutions. Congress may consider monitoring the effects of the impending Red Flags Rule on subsequent identity theft rates. Trends in Identity Theft As previously mentioned, research indicates that in 2010, about 8.1 million Americans were victims of identity theft. This is a decrease of about 3 million from the approximately 11.1 million who were victimized in Consumer complaints of identity theft to the FTC exhibited a corresponding decrease. The FTC received 250,854 consumer complaints of identity theft in 2010, down from 278,356 complaints in However, identity theft incidents reported to the FTC remain a fraction of the estimated victim population. There is a noted difference between the 250,854 complaints received by the FTC in 2010 and survey data indicating that about 8.1 million people were actually victimized. This disparity between research on identity theft victimization and consumer reports could be a result of several factors. For one, while some identity theft victims may file a report with the FTC, others may file complaints with credit bureaus, while still others may file complaints with law enforcement. Not all victims, however, may file complaints with consumer protection entities, credit reporting agencies, and law enforcement. Another possible factor contributing to the disparity is that victims may not for any number of reasons report an identity theft incident. These individuals, however, may be more likely to indicate the incident on a survey prompting them about their experiences with identity theft or fraud. 36 Ibid. Cost estimates are provided by OMB in three-year increments. Therefore, cost estimates for subsequent years are unavailable and could change from the estimates provided for the first three years. 37 Letter from American Medical Association et al. to William E. Kovacic, Chairman, U.S. Federal Trade Commission, September 30, 2008, HIPAA was enacted by P.L Fore more information on HIPAA or health information privacy, see CRS Report R40546, The Privacy and Security Provisions for Health Information in the American Recovery and Reinvestment Act of 2009, by Gina Stevens and Edward C. Liu. 38 Javelin Strategy & Research, 2011 Identity Fraud Survey Report: Consumer Version, February Congressional Research Service 9

14 Since the FTC began recording consumer complaint data in 2000, identity theft has remained the most common consumer fraud complaint. Figure 1 illustrates the number of identity theft complaints received by the FTC between 2000 and 2010 in relation to the number of all other fraud complaints received. According to CRS analysis, since 2000, the number of identity theft complaints has averaged about 35% of the total number of consumer complaints received by the FTC. 39 Figure 1. FTC Consumer Complaint Data Identity Theft and Other Fraud for Total FTC Consumer Fraud Complaints 1,000, , , , , , , , , , , , , , , , Other Fraud Identity Theft Source: CRS presentation of FTC Identity Theft Clearinghouse data. Annual reports for each calendar year are available at Notes: Data indicate the number of identity theft and other fraud complaints received by the FTC each calendar year. According to CRS analysis, between 2000 and 2010, the number of identity theft complaints has averaged about 35% of the total number of consumer complaints received by the FTC. The percentage has ranged between about 22% and about 40%. Identity theft has remained the dominant consumer fraud complaint to the FTC. However, while the number of overall identity theft complaints generally increased between 2000 (when the commission began recording identity theft complaints) and 2008, the number of complaints decreased in both 2009 and Figure 2 illustrates these trends in identity theft complaints reported to the FTC. 39 Between 2000 and 2010, the proportion of consumer fraud complaints that are classified as identity theft complaints has ranged from about 22% to about 40%. The total number of identity theft and other fraud complaints reported to the FTC are available from the annual Identity Theft Clearinghouse Data reports available at reports/sentinel-annual-reports/sentinel-cy2010.pdf. Congressional Research Service 10

15 Figure 2. FTC Identity Theft Complaint Data , , , , ,214 Year , , , ,977 86, , , , , , , , ,000 Total FTC Identity Theft Complaints Source: CRS presentation of FTC Identity Theft Clearinghouse data. Annual reports for each calendar year are available at Notes: Data indicate the number of identity theft complaints received by the FTC each calendar year. Perpetrators Increasing globalization and the expansion of the Internet have provided a challenging environment for law enforcement to both identify and apprehend identity thieves targeting persons residing in the United States. For one, these criminals may be operating from within U.S. borders as well as from beyond. There is no publically available information, however, delineating the proportion of identity theft (or other crimes known to be identity theft-related) committed by domestic and international criminals. 40 Secondly, while some identity thieves operate alone, others operate as part of larger criminal networks or organized crime syndicates. The FBI has indicated that it, for one, targets identity theft investigations on larger criminal networks. 41 These criminal networks may involve identity thieves located in various cities across the United States or in multiple cities around the world, and these criminals may be victimizing not only Americans, but persons living in countries across the globe. In a joint study by Verizon 40 Statistics are available on the proportion of cyber-related crimes committed by perpetrators from various countries. However, only a proportion of those crimes are identity theft crimes, and analysts therefore cannot reliably extrapolate the proportion of identity theft crimes committed by domestic and international criminals. 41 Federal Bureau of Investigation, Financial Crimes Report to the Public, Fiscal Year 2006, publications/financial/fcs_report2006/publicrpt06.pdf. Congressional Research Service 11

16 and the U.S. Secret Service of selected data breaches of businesses around the globe during 2010, 58% of data breaches by external agents sources outside the compromised organization were attributed to organized crime. 42 It is unknown, however, how many of these records compromised by organized crime were used in identity theft and related crimes. A third challenge in identifying identity thieves is that perpetrators may operate under multiple identities including actual identities, various stolen identities, and cyber identities and nicknames. Investigations and Prosecutions As mentioned earlier, identity theft is defined broadly, and it is directly involved in a number of other crimes and frauds. As a result, there are practical investigative implications that influence analysts abilities to understand the true extent of identity theft in the United States. For instance, only a proportion (the exact number of which is unknown) of identity theft incidents are reported to law enforcement. While some instances may be reported to consumer protection agencies (e.g., the FTC), credit reporting agencies (e.g., Equifax, Experian, and Trans Union), and law enforcement agencies, some instances may be reported to only one. For example, the FTC indicates that of the 42% of identity theft complaints that included information on whether the theft was reported to law enforcement, 72% were reported to law enforcement. 43 Another issue that may affect analysts abilities to evaluate the true extent of identity theft is that law enforcement agencies may not uniformly report identity theft because crime incident reporting forms may not necessarily contain specific categories for identity theft. In addition, there may not be standard procedures for recording the identity theft component of the criminal violations of primary concern. 44 Issues such as these may lead to discrepancies between data available on identity theft reported by consumers, identity theft reported by state and local law enforcement, and identity theft investigated and prosecuted by federal law enforcement. Various federal agencies are involved in investigating identity theft, including the Federal Bureau of Investigation (FBI), the United States Secret Service (USSS), the United States Postal Inspection Service (USPIS), the Social Security Administration Office of the Inspector General (SSA OIG), and the U.S. Immigration and Customs Enforcement (ICE). In addition, federal law enforcement agencies may work on task forces with state and local law enforcement as well as with international authorities to bring identity thieves to justice. The Department of Justice (DOJ) is responsible for prosecuting federal identity theft cases. 42 Wade Baker et al., 2011 Data Breach Investigations Report: A Study Conducted by the Verizon RISK Team in Cooperation with the United States Secret Service and the Dutch High Tech Crime Unit, Verizon, 2011, pp , Of note, external agents were involved in 92% of all data breaches. 43 Federal Trade Commission, Consumer Sentinel Network Data Book for January December, 2010, March, 2011, 44 Graeme R. Newman and Megan M. McNally, Identity Theft Literature Review, Prepared for presentation and discussion at the National Institute of Justice Focus Group Meeting to develop a research agenda to identify the most effective avenues of research that will impact on prevention, harm reduction and enforcement, Contract #2005-TO-008, January 2005, Congressional Research Service 12

17 Federal Bureau of Investigation (FBI) The FBI investigates identity theft primarily through its Financial Crimes Section. However, because the nature of identity theft is cross-cutting and may facilitate many other crimes, identity theft is investigated in other sections of the FBI as well. The FBI is involved in over 20 identity theft task forces and working groups around the country. It is also involved in over 80 other financial crimes task forces, which may also investigate cases with identity theft elements. 45 The FBI focuses its identity theft crime fighting resources on those cases involving organized groups of identity thieves and criminal enterprises that affect a large number of victims. 46 The FBI partners with the National White Collar Crime Center (NW3C) to form the Internet Crime Complaint Center (IC3). The IC3 serves the broad law enforcement community to receive, develop, and refer Internet crime complaints including those of identity theft. 47 In 2010, 9.8% of all Internet crime complaints received by the IC3 were that of identity theft. 48 However, other complaint categories such as credit card fraud may have involved incidents of identity theft as well. United States Secret Service (USSS) The USSS serves a dual mission of (1) protecting the nation s financial infrastructure and payment systems to safeguard the economy and (2) protecting national leaders. 49 In carrying out the former part of this mission, the USSS conducts criminal investigations into counterfeiting, financial crimes, computer fraud, and computer-based attacks on the nation s financial and critical infrastructures. The Secret Service has 38 Financial Crimes Task Forces and 31 Electronic Fraud Task Forces that investigate identity theft, as well as a number of other crimes. 50 In FY2010, the Secret Service arrested 4,040 suspects for crimes related to identity theft, and in FY2011, they arrested 4,570 such suspects. 51 United States Postal Inspection Service (USPIS) The USPIS is involved in inter-agency task forces investigating identity theft and is the lead federal investigative agency when identity thieves have used the postal system in conducting their fraudulent activities. The most recent USPIS data indicate that in FY2010, the USPIS participated in 18 identity theft task forces, and postal inspectors arrested 759 identity theft suspects from 45 U.S. Department of Justice, Fact Sheet: The Work of the President s Identity Theft Task Force, September 19, 2006, p. 3, 46 Federal Bureau of Investigation, Financial Crimes Report to the Public, Fiscal Year 2006, publications/financial/fcs_report2006/publicrpt06.pdf. 47 See the IC3 website at Among the many Internet crimes reported to the IC3 are identity theft and phishing. Phishing refers to gathering identity information from victims under false pretences, such as pretending to be a representative of a financial institution collecting personal information to update financial records. 48 The IC3 received a total of 303,809 Internet crime complaints. However, it did not make publically available the exact number of these complaints which were identity theft complaints, but rather indicated that identity theft made up about 9.8% of total Internet crime complaints. Internet Crime Complaint Center, 2010 Internet Crime Report, U.S.C U.S. Secret Service, United States Secret Service, Fiscal Year 2010 Annual Report, USSS2010AYweb.pdf. 51 Information provided to CRS by the USSS office of Congressional Affairs. Congressional Research Service 13

18 both USPIS investigations and task force investigations in which the USPIS was involved. 52 In addition to investigating identity theft, the USPIS has been involved in delivering educational presentations to consumer groups to assist in preventing identity theft, and inspectors are involved in sponsoring outreach programs for victims of identity theft; in FY2010, they provided 667 cases of identity theft victim assistance. 53 Examples of victim services include notifying victims of potential identity theft if the USPIS discovers compromised identities as well as assisting in victim restitution by providing victims money from the funds forfeited as a result of USPIS identity theft investigations. 54 Social Security Administration Office of the Inspector General (SSA OIG) Because the theft and misuse of Social Security numbers (SSNs) is one of the primary modes of identity theft, the SSA OIG is involved in investigating identity theft. The SSA has programs to assist victims of identity theft who have had their SSNs stolen or misused by placing fraud alerts on their credit files, replacing Social Security cards, issuing new Social Security numbers in specific instances, and helping to correct victims earnings records. 55 The SSA OIG protects the integrity of the SSN by investigating and detecting fraud, waste, and abuse. It also determines how the use or misuse of SSNs influences programs administered by the SSA. The SSA OIG is involved in providing a limited range of SSN verification for law enforcement agencies. Further, the SSA OIG maintains a hotline for consumers to report identity theft, and then these data are transferred to the FTC to be included in their consumer complaint database. 56 Immigration and Customs Enforcement The U.S. Immigration and Customs Enforcement (ICE) investigates cases involving identity theft, particularly immigration cases that involve document and benefit fraud. In FY2008, ICE conducted 3,636 investigations of document and benefit fraud. In addition, it made 1,652 criminal arrests and seized about $10.3 million related to document and benefit fraud. 57 In 2006, ICE created Document and Benefit Fraud Task Forces (DBFTFs). These DBFTFs, located in 18 cities throughout the United States, are aimed at dismantling and seizing the financial assets of criminal organizations that threaten the nation s security by engaging in document and benefits fraud. Department of Justice The U.S. Attorneys Offices (USAOs) prosecute federal identity theft cases referred by the various investigative agencies. CRS was unable to determine the proportion of identity theft cases 52 Data provided to CRS by the USPIS Office of Congressional Affairs, November 30, U.S. Postal Inspection Service, U.S. Postal Inspection Service Annual Report FY2010, 54 United States Postal Inspection Service, FY2007 Annual Report of Investigations of the United States Postal Inspection Service, January 2008, pp , 55 Social Security Administration, Identity Theft Fact Sheet, October 2006, idtheft.htm. 56 Information provided to CRS by the Social Security Administration, Office of the Inspector General, Office of Congressional Affairs, March 25, U.S. Immigration and Customs Enforcement, ICE Fiscal Year 2008 Annual Report: Protecting National Security and Upholding Public Safety, 2008, p. iv, Congressional Research Service 14